Why Are We Introducing this Solution Now?
Many computers have been infected by some type of
virus. We did not have a solution that could
effectively quarantine systems until proven “clean”;
thus, many unprotected systems became infected as
soon as they were physically plugged into the network.
The best way to prevent this from happening is to ensure
that anti-virus software and critical OS updates/patches
are current and maintained. This will also benefit users
whose systems were already current with both OS patches
and anti-virus software, since they suffered delays in
Internet and other network access due to the excessive
traffic caused by the infected machines.
What Networks Require Validation?
We are deploying the validation solution to the student
residential network in the Spring of 2005.
How Does Validation Work?
The validation solution will “trap” any Internet browser
access and redirect the user to a web page that
instructs the user to download and install the
validation client known as “Clean Access Agent”. Once
launched, the client downloads the validation rules and
processes these. If the workstation fails the test, it
is allowed Internet access only to the remediation sites
for a period of 90 minutes. Once corrected, full
network access is provided.
What is Cisco Clean Access?
Clean Access (formerly Perfigo) is a solution provided
by Cisco, Inc. that performs network validation. The
software performs the following functions:
• Requires authentication to the network.
• Validates whether the system connecting to the network
meets the minimum security standards.
• Quarantines the system until it meets the minimum
security standards.
• Provides access to the remediation sites.
• Allows access to the network once the system is
validated as “clean.”
What is Clean Access Agent?
Clean Access Agent is the client application that can
check certain security settings on any Microsoft Windows
PC to make sure that the system is up-to-date with
required security patches and report this status to the
Clean Access Server. No information about the user or
the content of user files is sent to the server. Each
user must use Clean Access Agent for his/her Microsoft
Windows PC in order to authenticate and use the
university network.
What Validation Checks are Being Performed?
We are configuring Clean Access to validate the
following:
• Run Nessus scans for known vulnerabilities.
• Check for current release of Symantec anti-virus
software and current virus definitions.
• Check for current Windows OS Patches.
How Does Validation Work for Macintosh Users?
Macintosh users must authenticate by logging in via a
web page. The only validation check for Macintosh
systems is the Nessus scan. No client is downloaded to
Macintosh systems.
How Does Validation Work for Linux Users?
Linux users must authenticate by logging in via a web
page. The only validation check for Linux systems is
the Nessus scan. No client is downloaded to Linux
systems.
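The admission decision described in the answers above, modelled as an added Python example; it is not part of the original FAQ and is not Cisco Clean Access code. The role names, the Host record, and the handling of a missing check result or an expired 90-minute window are assumptions.

```python
from dataclasses import dataclass, field

REMEDIATION_WINDOW_MIN = 90  # from the FAQ: remediation-only access lasts 90 minutes

# Checks the FAQ lists per platform. Windows runs the Clean Access Agent;
# Macintosh and Linux log in via a web page and get the Nessus scan only.
CHECKS_BY_PLATFORM = {
    "windows": ("nessus", "antivirus", "os_patches"),
    "macintosh": ("nessus",),
    "linux": ("nessus",),
}

@dataclass
class Host:  # hypothetical record, not a Clean Access data structure
    platform: str
    authenticated: bool
    results: dict = field(default_factory=dict)  # check name -> True if passed
    minutes_quarantined: int = 0

def evaluate(host):
    """Return (role, failed_checks) for one host on the validated network."""
    if not host.authenticated:
        return "login-required", []
    required = CHECKS_BY_PLATFORM.get(host.platform)
    if required is None:
        # Game consoles and similar devices are registered by staff instead.
        return "manual-registration", []
    # Assumption: a check with no reported result is treated as failed.
    failed = [c for c in required if not host.results.get(c, False)]
    if not failed:
        return "full-access", []
    if host.minutes_quarantined < REMEDIATION_WINDOW_MIN:
        return "remediation-only", failed
    # Assumption: the FAQ does not say what follows the 90 minutes.
    return "window-expired", failed

if __name__ == "__main__":
    # Constructed sample hosts.
    samples = [
        Host("windows", True, {"nessus": True, "antivirus": False, "os_patches": True}),
        Host("windows", True, {"nessus": True, "antivirus": True}),  # patch result missing
        Host("linux", True, {"nessus": True}),
        Host("xbox", True),
    ]
    for h in samples:
        print(h.platform, evaluate(h))
```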
What About Xboxes, PlayStations, etc.?
These devices must be configured and registered in
Clean Access. Students should call the help desk at
626-2283 or send an e-mail to help@northern.edu. The
help desk agents will notify the security staff
to register the device.
What Remediation is Available?
Authentication Failure. If a user’s system fails
authentication, the user is instructed to provide the
correct university network username and password. If
the user has forgotten his/her password, he/she is
instructed to call the help desk at 626-2283 for help.
Anti-Virus Failure. If the user’s
system fails the check for current anti-virus software,
the user is provided a download either for the software
itself or for the current engine and virus definition
files.
Microsoft Windows Patch Failure. If
the user’s system fails the check for current critical
OS patches, the user is instructed to click on the URL
for the Microsoft Windows update site and follow the
instructions
Copyright 2005
William Woods University